From:


Sent: 27 February 2020 10:55 
To: directmarketingcode 
Subject: Response to consultation on direct marketing code of practice 


External: This email originated outside the ICO. 
Dear ICO 


Please find below some comments on the draft code that I hope you will find useful.


Kind regards 


Service messages (pages 22-23) 

I am concerned with your classification of a GP surgery message about the flu jab being considered marketing.

The system in the UK works in a particular way. If you are in a risk category you are eligible for a free flu jab. Your
surgery has this information on your file and so they have to tell you when that jab is available, as a public health 
matter. Although it is voluntary, you absolutely have to tell those who are eligible when the service is available. Did 
you perhaps instead intend to refer to messages sent to all patients such as where the surgery runs a paid-for flu jab 
service? If so then it needs to be much clearer. In the example, while the message is about a service, it is also about 
the patient's care, where that patient is in a risk category that leads to them being eligible for a free flu jab. 


Perhaps it might be prudent to use another example to make the point in question. It is not unreasonable to think 
that a consequence of this example remaining in the guidance is that surgeries stop telling people who are eligible 
for free flu jabs about when this service is available. And that would be a public health disaster, as well as an
example of data protection being a barrier when it shouldn't be. 


- DPIA (page 28) 

This section lists processing operations where a DPIA is required. But then after the list it states that some of the 
processing operations require a DPIA automatically and others require a DPIA if they occur in combination with any 
other criterion from the European guidelines on DPIAs. It would be much more helpful, especially for small 
companies without dedicated privacy resources, to clearly list in this section which processing activities 
automatically require a DPIA and which only do if another criterion is present - and then list the other criterion. 


- Accurate records (page 40) 

In this section, one bullet point is ‘objections, opt-outs, withdrawals of consent’ and the next one is ‘suppression 
lists’. Objections, opt-outs and withdrawals of consent are all the same thing, and the fact a person is on a
suppression list is the record / evidence that they opted out. The risk here is that it looks like you have to keep more 
paperwork than you really do and makes it seem much more complicated than it really is. 


- Children's data (page 43) 
I am surprised you have not referenced here the ICO age-appropriate design code of practice.


- Refer a friend schemes (page 83) 
I recommend reading the DPN's assessment here: https://dpnetwork.org.uk/opinion/refer-a-friend-viral-marketing-rules/


- Marketing and apps (page 95) 

This section assumes that all ads in apps are from third-party advertisers. There is no mention of a company 
promoting itself, its other products, its third-party partners and so on in its own app. Even if the same rules apply it 
would be helpful to be clear about this. 


- Location data (page 96) 

This section is not clear about where the line is. A location such as UK or India is a very different thing from a precise 
geo-location. For example, you shouldn't need to get consent to show different marketing material to users in the 
UK versus users in India. Or to only show alcohol-related ads to users over 18. 


- When online advertising is considered 'targeted' 

I don't think the draft code is clear enough about where the line is for when online advertising becomes targeted. If
you instruct a third party (such as in the adtech ecosystem) to show your ads to certain types of users, how granular 
do you need to get before it counts as 'singling out' or ‘identifiable’? For example, if the audience type you want to 
see your ads is: 'UK, 18-25, female, affinity with take-away apps', then how can you possibly be granular enough to 
single someone out? That is very different to targeting ads to a specific person based on unique identifiers like IP 
address or based on their personal browsing history. 


I hope these comments are helpful.


Kind regards 